
This is my crazy password creation scheme. Using this method you will be able to create ridiculously strong passwords like Wh++2b$3,+@m@c3 yet still be able to remember the password after only a few tries. As far as I know, this scheme is not vulnerable to weaknesses in other password schemes. Read on to find out more.
What constitutes a good password/passphrase?
1) Not susceptible to dictionary attacks
Hackers use large word lists or password dictionaries to guess passwords. Modern computers can run through enormous word lists in very little time, so any word in these dictionaries makes a very weak password. Foreign word lists are also often used, so don't think that because your password is French you're safe. Padding words with a few numbers helps a little, but hybrid-dictionary password cracking programs are smart enough to automatically guess passwords like "MyPass2008" using regular expression patterns. It won't be long before cracking programs even include well known phrases like "Call me Ishmael".
2) Significant length and character scope
Assuming the cracker doesn't have access to the password hash, he/she would probably resort to brute force guessing. Brute force attacks attempt all combinations of characters until a match is found. The number of combinations is calculated as R^L where R is the range of possible characters (a-z A-Z 0-9 !@#$%...) and L is the length of the phrase. What this means is that the difficulty of guessing a passphrase increases greatly with added length or character scope. This is why most secure systems require a password length of at least 8 characters including numbers and symbols. A nice comparison of brute force time used for the calculations below can be found here.
3) Memorable
Strong passwords that are not vulnerable to dictionary or hybrid attacks are usually hard to remember, which is why people tend to write them down or save the passwords in a file. Unless the file is encrypted, it's trivial for anyone with physical access to copy and use the file. I've heard stories of college students paying custodians to look for professors' passwords on post-its around the computer. Shame on them.
4) Not susceptible to the passerby problem
Thanks to Steve Gibson at GRC.com for pointing this one out. Some passwords may be guessable from a partial string of keys observed by a passerby. For instance, if someone sees you type "ilvyu", he/she may be able to deduce that your password is "Iloveyou" <- one of the worst passwords, BTW.
Creating strong memorable passwords
Step 1 - Start with a base phrase or phrases
Choose a phrase which you'll be sure to remember. Longer and less common phrases are best. You can also combine several phrases from different sources for added security. For this example I'll use the following:
"We hold these truths to be self evident, that all men are created equal"
Step 2 - Replace special words
Many whole words can be replaced with symbols or digits. For example, replace the word "at" with the @ symbol, "and" with the & symbol, "to" with the number 2, and so forth.
"We hold these truths 2 be self evident, that all men are created equal"
Step 3 - Replace special first letters
Try to replace the first letter of every word with look-alike symbols. For example the letter "t" becomes +, "s" becomes $, "E" becomes 3 etc. Some letters have more than one possible symbol. For instance "i" could be ! or 1. This option increases security since hackers would have to try both, but be consistent or you'll get yourself confused in the future.
"We hold +hese +ruths 2 be $elf 3vident, +hat @ll men @re created 3qual"
Step 4 - Shrink
Keep only the first letter of each word, plus the symbols and punctuation, and drop the rest of the phrase. The remaining blob is your password.
Wh++2b$3,+@m@c3
Try repeating the phrase in your head while typing the password. You'll soon realize how easy it is to remember this seemingly random blob once you become familiar with the logical replacements.
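The four steps above, written out as a small script so you can check your own phrase against the page's examples (this is an added illustration, not code from the original post). It uses the page's own word and first-letter replacements and also handles the two-phrase concatenation shown in the strength-testing section; the keyspace helper is plain R^L from the brute-force discussion above.

```python
# Step 2: whole words that become a single symbol or digit (the page's examples).
WORD_MAP = {"at": "@", "and": "&", "to": "2"}
# Step 3: look-alike substitutions for a word's first letter, applied
# case-insensitively. These are the replacements the page's examples use;
# pick one symbol per letter and stay consistent.
LETTER_MAP = {"t": "+", "s": "$", "e": "3", "a": "@", "i": "!", "o": "0"}
# Sentence punctuation that survives the shrink step (e.g. the comma).
PUNCT = ",.;:!?"

# The two base phrases used on the page.
PHRASE1 = "We hold these truths to be self evident, that all men are created equal"
PHRASE2 = "Something in the way she moves attracts me like no other lover"


def _split(token):
    """Split 'evident,' into ('evident', ','); never strip a token to nothing."""
    word = token.rstrip(PUNCT) or token[0]
    return word, token[len(word):]


def replace_words(phrase):
    """Step 2: swap whole words such as 'to' -> '2', keeping trailing punctuation."""
    out = []
    for token in phrase.split():
        word, punct = _split(token)
        out.append(WORD_MAP.get(word.lower(), word) + punct)
    return " ".join(out)


def replace_first_letters(phrase):
    """Step 3: replace the first letter of each word with its look-alike symbol."""
    out = []
    for token in phrase.split():
        first = token[0]
        if first.isalpha():  # digits/symbols from step 2 are left alone
            first = LETTER_MAP.get(first.lower(), first)
        out.append(first + token[1:])
    return " ".join(out)


def shrink(phrase):
    """Step 4: keep only each word's first character plus trailing punctuation."""
    return "".join(_split(t)[0][0] + _split(t)[1] for t in phrase.split())


def make_password(*phrases):
    """Run steps 2-4 on each phrase and concatenate the results."""
    return "".join(shrink(replace_first_letters(replace_words(p))) for p in phrases)


def keyspace(length, alphabet_size):
    """Brute-force search space R^L (e.g. keyspace(15, 96) for the page's figure)."""
    return alphabet_size ** length
```

Running make_password(PHRASE1) reproduces the page's Wh++2b$3,+@m@c3, and passing both phrases gives the concatenated 27-character version.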
Testing password strength
So do passwords created in this manner pass the password tests?
Not susceptible to dictionary attacks - PASS
A password generated in this method is very unlikely to be in a word list. If by some strange chance your generated password happens to be a normal word, pick a different phrase and start over.
Significant length and character scope - PASS
This particular passphrase is 15 characters long and includes upper- and lower-case letters, numbers and 5 different symbols, which would take a supercomputer roughly 169.07 trillion years to brute force (based on 96^15 combinations). As I mentioned above, you could also concatenate two or more phrases from different sources to generate bulletproof passphrases. If you concatenate "Something in the way she moves attracts me like no other lover" to the original passphrase you get:
Wh++2b$3,+@m@c3$!+w$m@mln0l
Memorable - PASS
Just remember the phrase(s) and use consistent symbol replacements and it will be very easy to remember. You can even print a cheat sheet to help you recall the replacement symbols. If you keep a cheat sheet, list the symbols you might use for all replacements, not just the ones in your current password.
Losing your cheat sheet is not a problem because we used the first letters of a phrase as opposed to a simple word. Had we used a word, the attacker could use a fast dictionary attack and convert the words to symbols using your cheat sheet. Our deciphered password is Whtttobse,tamace. Even without the comma the attacker would still need to brute force this seemingly random text, which would take a supercomputer about 1.7 billion years (based on 52^15 combinations).
Not susceptible to the passerby problem - PASS
As long as you don't say your phrase out loud there's no way a passerby would be able to determine the mnemonics of your passphrase.
Leave a comment below if you found this useful or have other password suggestions.
